VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” the virtualization software and services firm noted in its advisory.
Tracked as CVE-2020-4006, the command injection vulnerability has a CVSS score of 9.1 out of 10 and impacts VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.
While the company said patches for the flaw are “forthcoming,” it didn’t specify an exact date by when it’s expected to be released. It’s unclear if the vulnerability is under active attack.
The complete list of products affected are as follows:
- VMware Workspace One Access (versions 20.01 and 20.10 for Linux and Windows)
- VMware Workspace One Access Connector (versions 20.10, 20.01.0.0, and 20.01.0.1 for Windows)
- VMware Identity Manager (versions 3.3.1, 3.3.2, and 3.3.3 for Linux and Windows)
- VMware Identity…